Skip to content

Add authenticated MCP server, oauth-proxy for chai-bot write access#82041

Open
arnavmeduri wants to merge 1 commit into
openshift:mainfrom
arnavmeduri:ship-status-auth-mcp
Open

Add authenticated MCP server, oauth-proxy for chai-bot write access#82041
arnavmeduri wants to merge 1 commit into
openshift:mainfrom
arnavmeduri:ship-status-auth-mcp

Conversation

@arnavmeduri

@arnavmeduri arnavmeduri commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Adds the config for chai-bot to create and manage outages through an authenticated MCP endpoint. The authenticated MCP receives requests through its own oauth-proxy, then calls the dashboard's protected API using a dedicated service account token.

Changes:

clusters/app.ci/ship-status-dash/dashboard/mcp-server-serviceaccount.yaml:

  • ServiceAccount mcp-server with long-lived token secret for authenticating to the dashboard's oauth-proxy

clusters/app.ci/ship-status-dash/dashboard/deployment.yaml:

  • Add MCP_MODE=public to existing MCP, add ship-status-mcp-auth container, add oauth-proxy-mcp container, add mcp-server-token volume

clusters/app.ci/ship-status-dash/dashboard/rbac.yaml:

  • Add ship-status-mcp-server ClusterRole/Binding granting namespaces/get so the MCP SA passes the dashboard oauth-proxy's SAR check

clusters/app.ci/ship-status-dash/dashboard/service.yaml:

  • Add protected-mcp port exposing oauth-proxy-mcp

clusters/app.ci/ship-status-dash/dashboard/ingress.yaml:

  • Add protected-mcp.ship-status.ci.openshift.org to TLS hosts and routing

core-services/ship-status/dashboard-config.yaml:

  • Add trusted_delegators with the MCP server SA, add chai-bot as a user on all components

Summary by CodeRabbit

Configures Chai-bot to create and manage Ship Status outages through a protected MCP endpoint.

  • Adds an authenticated MCP server and OAuth proxy backed by a dedicated service account token.
  • Exposes the protected MCP endpoint through the Ship Status service and ingress.
  • Grants the MCP service account permission to satisfy the dashboard OAuth proxy authorization check.
  • Registers the service account as a trusted delegator and adds Chai-bot ownership across dashboard components.
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 16, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@arnavmeduri: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

Adds public and authenticated MCP deployment paths, OAuth proxying, token-based service-account authorization, protected ingress routing, and trusted delegation configuration for the Ship Status dashboard.

Changes

Protected MCP access

Layer / File(s) Summary
MCP identity and authorization
clusters/app.ci/ship-status-dash/dashboard/mcp-server-serviceaccount.yaml, clusters/app.ci/ship-status-dash/dashboard/rbac.yaml, core-services/ship-status/dashboard-config.yaml
Creates the mcp-server service account and token secret, grants namespace-read access, registers trusted delegation, and changes chai-bot owner entries to user identities.
Public and authenticated MCP runtime
clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
Sets the existing MCP server to public mode and adds an authenticated MCP server with an OAuth proxy, token wiring, probes, and protected port configuration.
Protected MCP service exposure
clusters/app.ci/ship-status-dash/dashboard/service.yaml, clusters/app.ci/ship-status-dash/dashboard/ingress.yaml
Adds Service port 9443 and TLS-enabled Ingress routing for protected-mcp.ship-status.ci.openshift.org.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Ingress
  participant oauth-proxy-mcp
  participant ship-status-mcp-auth
  Client->>Ingress: HTTPS request to protected MCP hostname
  Ingress->>oauth-proxy-mcp: Route traffic to port 9443
  oauth-proxy-mcp->>ship-status-mcp-auth: Forward authenticated request to port 8091
  ship-status-mcp-auth-->>Client: MCP response
Loading

Suggested reviewers: timurmp

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding an authenticated MCP server and oauth-proxy for chai-bot access.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed The PR only changes YAML manifests/config; no Ginkgo test titles or dynamic test names were added or modified.
Test Structure And Quality ✅ Passed The PR only changes Kubernetes/config YAML; no Ginkgo or other test files were modified, so the test-structure check is not applicable.
Microshift Test Compatibility ✅ Passed No new Go/Ginkgo e2e tests were added in this PR—only Kubernetes/YAML config changes—so the MicroShift compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR changes only YAML manifests; no Ginkgo e2e tests were added, so the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed No topology-sensitive scheduling constraints were added; the changed manifests only show replicas: 1 and no nodeSelector, affinity, spread, toleration, or PDB fields.
Ote Binary Stdout Contract ✅ Passed Only YAML manifests/config changed; no main/init/TestMain/suite code or stdout writes were touched.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo/e2e test code was added; the PR only changes Kubernetes/YAML manifests, and the 127.0.0.1 URLs are runtime container settings, not tests.
No-Weak-Crypto ✅ Passed Changed files are Kubernetes/YAML manifests only; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons were introduced.
Container-Privileges ✅ Passed No privileged/root flags were added: searches found no privileged, hostPID/Network/IPC, SYS_ADMIN, runAsUser: 0, or allowPrivilegeEscalation: true in the changed manifests.
No-Sensitive-Data-In-Logs ✅ Passed Changed manifests add auth/token plumbing but no new log/debug statements or secret-printing paths that would expose sensitive data.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 16, 2026
@openshift-ci
openshift-ci Bot requested review from bear-redhat and deepsm007 July 16, 2026 20:21
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Hi @arnavmeduri. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arnavmeduri
Once this PR has been reviewed and has the lgtm label, please assign psalajova for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@clusters/app.ci/ship-status-dash/dashboard/deployment.yaml`:
- Around line 199-275: Update the ship-status-mcp-auth and oauth-proxy-mcp
container definitions to satisfy the Kubernetes container requirements. Add
securityContext entries with runAsNonRoot, readOnlyRootFilesystem,
allowPrivilegeEscalation, and dropped ALL capabilities; add CPU and memory
requests/limits to oauth-proxy-mcp; and add a livenessProbe for oauth-proxy-mcp
while preserving its existing readinessProbe.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fee977bb-1c3f-4532-b1a7-8cd6a250035b

📥 Commits

Reviewing files that changed from the base of the PR and between 939c03b and 60378ec.

📒 Files selected for processing (6)
  • clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
  • clusters/app.ci/ship-status-dash/dashboard/ingress.yaml
  • clusters/app.ci/ship-status-dash/dashboard/mcp-server-serviceaccount.yaml
  • clusters/app.ci/ship-status-dash/dashboard/rbac.yaml
  • clusters/app.ci/ship-status-dash/dashboard/service.yaml
  • core-services/ship-status/dashboard-config.yaml
Comment thread clusters/app.ci/ship-status-dash/dashboard/deployment.yaml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. rehearsals-ack Signifies that rehearsal jobs have been acknowledged

1 participant